Arpc

Security checks across malware telemetry and agentic risk

Overview

This agent-messaging skill is mostly coherent, but it asks the agent to handle powerful OpenClaw credentials and promotes unverified remote installer execution.

Install only if you trust the offgrid.ing installer and arpc binary. Keep the OpenClaw bridge disabled unless you specifically need it, avoid pasting gateway tokens or session keys into chat, inspect or verify installer content before running it, and rotate any OpenClaw token that may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (12)

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The guide instructs operators to retrieve a live OpenClaw gateway token from environment variables and local config files, then reuse it to configure a bridge. That expands the skill from ordinary ARP setup into credential harvesting and propagation of a sensitive secret, which could let the bridge or any exposed logs/configs access the user's OpenClaw instance.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The guide tells the agent to obtain a session key from active session listings or infer it from local session history files, including inspecting channel/context metadata. This accesses unrelated local conversation state and enables bridging into an existing session, which is beyond normal install/setup and creates a risk of cross-session access or privacy compromise.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The documentation recommends `curl ... | bash`, which executes code fetched over the network directly in a shell without inspection or integrity verification. In a messaging/configuration skill, this expands the trust boundary significantly and can lead to arbitrary code execution if the remote server, transport, or distribution path is compromised.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill instructs users to execute a remote installer directly with `curl ... | bash`, which bypasses review of the downloaded code and grants arbitrary code execution to whatever the server returns at that moment. In a skill context, this is especially dangerous because it normalizes unsafe installation behavior and could lead to full compromise of the host if the endpoint is malicious or later compromised.

Missing User Warnings

Medium
Confidence: 98%
Finding
Piping a remote installer directly into bash executes unreviewed code fetched over the network with no integrity verification or inspection step. If the hosting domain, transport, or script is compromised, the user may execute arbitrary code immediately.

Missing User Warnings

Medium
Confidence: 92%
Finding
The instructions normalize reading and reusing a sensitive gateway token before any strong, prominent warning at the extraction point. This encourages exposing secrets in terminal output, agent responses, shell history, or logs during routine setup.

Missing User Warnings

Medium
Confidence: 87%
Finding
The troubleshooting section includes a shell snippet that automatically edits systemd service files with sed and reloads systemd, changing persistence and restart behavior on the host. Even though presented as repair guidance, it causes host-level configuration changes without an explicit warning, backup step, or recommendation to review the service file first, which can lead to unintended service disruption or persistence changes.

Missing User Warnings

Medium
Confidence: 97%
Finding
The document recommends piping a remotely fetched installer script directly into bash, which executes unreviewed network content immediately. If the hosting domain, transport, or upstream script is compromised, users can be induced to run arbitrary code on their machine during troubleshooting.

Missing User Warnings

Medium
Confidence: 97%
Finding
This repeats the same remote-installer pattern in a troubleshooting path for missing systemd service files, again normalizing execution of unverified network-delivered shell code. Repetition in troubleshooting guidance increases the chance that users will execute it reflexively during system repair, amplifying the risk of arbitrary code execution.

Missing User Warnings

Medium
Confidence: 95%
Finding
The update section includes a remote installer pipeline but provides no warning that it will execute downloaded code locally. Users following maintenance guidance may treat this as routine, increasing the likelihood of unsafe execution and reducing informed consent around the RCE risk.

Ssd 3

High
Confidence: 98%
Finding
The guide explicitly directs reading an authentication token from environment variables or local config and reusing it later, which is direct secret extraction and handling by the agent. In an agent skill context, this is especially dangerous because it trains the agent to access and potentially disclose credentials from the local environment.

Ssd 3

High
Confidence: 96%
Finding
The guide instructs the agent to collect a session key from CLI output, local session files, or directly from the user, then use it for bridge configuration. Session identifiers tied to active contexts can grant unintended access or linkage to live conversations, so harvesting them from local artifacts is sensitive-data access beyond installation guidance.

VirusTotal

66/66 vendors flagged this skill as clean.
